Dive Brief:

• The Office of Management and Budget (OMB) gave federal departments and agencies until FY2024 to implement its zero-trust security goals, according to an announcement from the White House Wednesday. The model agencies will replicate was developed by the Cybersecurity and Infrastructure Security Agency (CISA). 
• CISA's zero-trust model has five pillars: identity, devices, networks, applications and workloads, and data. "It is a dramatic paradigm shift in philosophy of how we secure our infrastructure, networks, and data, from verify once at the perimeter to continual verification of each user, device, application, and transaction," Shalanda Young, OMB acting director, said in the memo. 
• President Joe Biden's May cybersecurity executive order gave agencies liberties for developing their own plans for zero-trust implementation. Agencies have 60 days to submit plans to OMB and CISA, including the other requirements within the memorandum. 

Dive Insight:

All department and agency heads are assigned to implement zero trust is the latest step of the Biden administration's federal cybersecurity strategy. The memo directs agencies to "internally source funding" in FY2022 and FY2023, or "seek funding from alternative sources," to reach the priority goals of the memo. Alternative funding sources include the Technology Modernization Fund, the memo said. 

Current cybersecurity efforts need funding. Eventually Matt Keller, VP of federal services at GuidePoint Security, wants to see the government collaborate with system integrators to complement NIST's risk management framework. The government could also leverage contract awards for executing more goals. 

Zero trust has been a familiar concept in the security community for more than a decade, and "most places were doing a zero trust-lite," Keller told Cybersecurity Dive by email. "Our adversaries will always poke at our strategies, and by releasing some of the details in the memo threat actors have information to create playbooks" on how the U.S. is developing its capabilities. 

The memo outlines starting points and priorities but maintains it is not a comprehensive guide to achieving goals.

OMB acknowledges the architecture will challenge existing notions of datasets in agencies' data management. And the government has struggled with data classification and involving industry with penetration testing and reviewing software source code, according to Keller. 

Vendors have been looped into the government's goals, according to Keller. But "it's also causing confusion amongst agencies," because traditional vendors either can't offer a singularly zero-trust technology, or they don't have executable zero trust. 

Zero-trust architectures are built on existing solutions, such as MFA and device inventory management. But Keller warns it's "concerning that they aren't looking at a more comprehensive cloud security strategy beyond using zero trust because cloud security should utilize zero trust principals but has many different focuses." 

Likewise with devices, agencies have grappled with scaling security tools before. OMB wants agencies to have users log into applications as opposed to networks — even with public internet-facing apps. "Every application should be treated as internet-accessible from a security perspective," the memo said. This means, using CISA's zero-trust model, agencies will need to shift away from requiring application access routed through certain networks. 

"I'm excited we are finally getting direct guidance from an administration on cyber. Before it was left up to individual agencies to build a strategy and then execute," said Keller. A whole-government approach to cyber strategies will eliminate inconsistencies in protections.